Kimley-Horn and Associates, Inc. successfully secured the transfer of the typosquatted domain kimlery-horn.com from respondent Jon Baxter. The disputed domain was registered in October 2025 and configured with MX servers to execute an attempted business email compromise (BEC) attack against one of the Complainant’s clients. WIPO Panelist Nels T. Lippert ordered the immediate transfer of the domain to prevent further fraudulent activities.
Case Snapshot
| Case Number | D2025-5346 |
|---|---|
| Complainant | Kimley-Horn and Associates, Inc. |
| Respondent | Jon Baxter, kimlery-horn llc |
| Disputed Domain | kimlery-horn.com |
| Threat Tactic | Typo Domains |
| Decision Date | 2026-02-18 |
| Panelist | Nels T. Lippert |
| Outcome | Transfer |
| Official Source | https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-5346 |
Deceptive Corporate Impersonation and High-Risk Business Email Compromise Threat
The deployment of the typosquatted domain kimlery-horn.com—which substitutes the keyboard-adjacent sequence "ery" for "ey" in the Complainant’s KIMLEY-HORN trademark—creates immediate operational and commercial risks through targeted communication interception. By configuring active MX (mail exchange) records on the disputed domain, the Respondent established a functional communication infrastructure designed to masquerade as legitimate corporate employees. This setup allowed the threat actor to intercept emails and execute deceptive interactions, utilizing the subtle visual similarities of the domain to bypass standard digital security filters and basic human scrutiny.
The primary commercial impact of this specific technical configuration is its utilization in corporate impersonation and Business Email Compromise (BEC) attacks targeting the Complainant’s active clients. When third-party partners or clients receive messages from an address that closely mimics a trusted engineering and planning consulting firm, the potential for unauthorized financial transfers or the leakage of proprietary project communications increases. Because the exact financial parameters and the specific identity of the targeted client remain confidential, the structural risk is highly pronounced for any enterprise whose external stakeholders rely on digital invoicing and electronic project communications.
Furthermore, the business threat is amplified by the tactical attempts to fabricate administrative legitimacy. The Respondent registered the domain under a deceptive shell designation, "kimlery-horn llc," utilizing a proxy privacy service and the physical address of a Mississippi law firm with which they had no legitimate association. This deliberate strategy of corporate mimicry complicates internal brand protection efforts, as actors attempt to justify bad-faith registration under the guise of business entities. Brand protection professionals must treat domains with active MX records as imminent threat vectors, regardless of whether the domain’s public-facing web interface remains a seemingly benign parking page.
Panel Evaluation of Confusing Similarity, Legitimate Interests, and Bad Faith
Under the first element of Paragraph 4(a) of the UDRP Policy, Panelist Nels T. Lippert analyzed the structural composition of the disputed domain name, kimlery-horn.com, against the Complainant’s registered trademark, KIMLEY-HORN. The panelist accepted the Complainant’s demonstration of long-standing rights in the mark, which has been used since 1967 and is protected by multiple United States trademark registrations dating back to 2003. The panel concluded that the disputed domain represents a deliberate, keyboard-adjacent typosquatting tactic, where the letters ‘e’ and ‘r’ are positioned next to each other on a standard keyboard, creating an intentional misspelling designed to deceive users while maintaining close visual similarity to the protected mark.
Regarding the second element, the panelist scrutinized the Respondent’s claims of legitimacy. The Respondent registered the domain under the name ‘Jon Baxter, kimlery-horn llc’ and associated it with a physical address belonging to a law firm in Mississippi. The Complainant successfully argued that the Respondent was never authorized or licensed to use the KIMLEY-HORN trademark, nor was it commonly known by the disputed domain name. The panel determined that the creation of the shell entity ‘kimlery-horn llc’ and the provision of misleading contact data did not establish bona fide rights or legitimate interests, especially since the registration was executed to facilitate a deceptive impersonation scheme.
The finding of bad faith registration and use under the third element was anchored by clear technical and operational evidence. Although the disputed domain resolved to a parking page at the time of the proceeding, the Complainant presented evidence that the Respondent had configured active MX email servers. These servers were deployed to intercept communications and masquerade as actual employees of Kimley-Horn and Associates, Inc. in a business email compromise (BEC) attack targeting one of the Complainant’s clients. The combination of active deceptive email configurations, the use of a proxy service to shield the registrant’s true identity, and the provision of false contact information led the panel to order the transfer of the domain.
For brand protection professionals and corporate counsel, this dispute highlights key strategies for neutralizing active cyber threats. The decision demonstrates that panels will find bad faith even when a domain appears to be passively parked, provided there is technical evidence of active MX records configured for phishing or BEC. Rapid legal mobilization remains highly effective; filing the UDRP complaint on December 19, 2025, shortly after the domain’s registration in October 2025, allowed the Complainant to dismantle the fraudulent infrastructure and prevent further unauthorized interception of sensitive client communications.
Strategic Integration of Technical MX Record Audits and Deceptive Entity Exposure
The Complainant’s strategy succeeded by combining clear evidence of typosquatting with technical proof of active mail exchange (MX) record configurations. Rather than relying solely on the visual similarity of the keyboard-adjacent typo ‘kimlery-horn.com’ (replacing ‘ey’ with ‘ery’), the Complainant presented concrete evidence that the domain was actively configured to route emails. By documenting that the Respondent used these MX records to masquerade as legitimate corporate employees and target an active client in a business email compromise (BEC) scheme, the Complainant established an irrefutable case of bad faith registration and use under the UDRP.
Furthermore, the Complainant successfully dismantled the Respondent’s attempt to fabricate rights or legitimate interests through a shell entity registration. The Respondent had registered the domain under the name ‘Jon Baxter, kimlery-horn llc’ using a Mississippi law firm’s physical address. The Complainant exposed this setup as a bad faith masquerade, demonstrating that the newly formed LLC and the false contact details were created solely to facilitate fraud. Acting swiftly by filing the dispute on December 19, 2025—just over two months after the October registration—allowed the Complainant to rapidly neutralize the active phishing threat and prevent further deceptive communication with its client base.
Practical Recommendations
- Implement proactive domain monitoring that alerts security teams not only to look-alike registrations but specifically to the activation of MX (mail exchange) records on those domains, as active MX records are key indicators of impending business email compromise (BEC) attacks.
- Act swiftly to initiate UDRP proceedings (e.g., within weeks of discovery) when active client-targeted phishing or corporate impersonation is detected, using the rapid filing to neutralize the deceptive domain and mitigate financial and reputational fallout.
- When confronting respondents who use shell companies (e.g., ‘kimlery-horn llc’) to feign legitimacy, verify and challenge their corporate details—such as highlighting fake addresses or law firm locations—to successfully dismantle their claims of ‘rights or legitimate interests’ before the WIPO panel.
- Document and present comprehensive evidence of actual deceptive use, including forensic details of email impersonation schemes or outreach to clients, to decisively establish both bad faith registration and use under the UDRP even if the domain currently resolves to a parked page.
Frequently Asked Questions (FAQ)
Why was the domain name ‘kimlery-horn.com’ considered confusingly similar to the Kimley-Horn brand?
The WIPO panel determined that ‘kimlery-horn.com’ uses an intentional ‘keyboard-adjacent’ typo, replacing the ‘ey’ in Kimley with ‘ery’. Because ‘e’ and ‘r’ are located next to each other on a standard keyboard, the panel found this misspelling was a calculated effort to deceive users of the legitimate KIMLEY-HORN mark.
How did the respondent attempt to establish fake legitimacy for the domain?
The respondent registered a shell entity named ‘kimlery-horn llc’ and utilized a law firm’s address to provide a veneer of business legitimacy. The panel rejected this as a bona fide right, finding it was a deceptive tactic solely used to facilitate an attempted business email compromise (BEC) attack against the complainant’s clients.
What evidence proved the respondent acted in bad faith?
Bad faith was confirmed by the configuration of active MX email records, which allowed the respondent to intercept and spoof internal communications as if they were legitimate Kimley-Horn employees. Further evidence included the use of a privacy proxy service to conceal identity and the provision of false contact information.
What is the primary lesson from this case regarding business email compromise (BEC) threats?
This case highlights the critical importance of monitoring for typosquatted domains that include active mail server (MX) configurations. The panel’s decision to order a transfer emphasizes that rapid UDRP action can effectively neutralize an impersonation campaign before it causes financial or reputational damage to the firm’s clients.
Detecting Look-Alike Domains Before They Become BEC Threats
This case highlights how typosquatted domains—like the one used in the Kimley-Horn BEC attempt—often harbor hidden MX records for email interception. Proactive identification of these look-alikes is critical to stopping impersonation before it reaches your clients.
This case note is for informational purposes only and is not legal advice.



